Skip to content

Commit

Permalink
Add TLS support for Trillian server (google#1525)
Browse files Browse the repository at this point in the history
Signed-off-by: Firas Ghanmi <fghanmi@redhat.com>
  • Loading branch information
fghanmi committed Jul 15, 2024
1 parent 5429c2f commit 7ccd159
Show file tree
Hide file tree
Showing 2 changed files with 38 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@

## HEAD

* Add TLS support for Trillian: By using `--trillian_tls_ca_cert_file` flag, users can provide a CA certificate, that is used to establish a secure communication with Trillian log server. In https://github.com/google/certificate-transparency-go/pull/1525

## v1.2.1

### Fixes
Expand Down
37 changes: 36 additions & 1 deletion trillian/migrillian/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,16 +18,20 @@ package main

import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"flag"
"fmt"
"net/http"
"os"
"path/filepath"
"strings"
"time"

clientv3 "go.etcd.io/etcd/client/v3"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
"k8s.io/klog/v2"

Expand Down Expand Up @@ -57,6 +61,7 @@ var (

maxIdleConnsPerHost = flag.Int("max_idle_conns_per_host", 10, "Max idle HTTP connections per host (0 = DefaultMaxIdleConnsPerHost)")
maxIdleConns = flag.Int("max_idle_conns", 100, "Max number of idle HTTP connections across all hosts (0 = unlimited)")
tlsCACertFile = flag.String("trillian_tls_ca_cert_file", "", "CA certificate file to use for secure connections with Trillian server")
)

func main() {
Expand All @@ -77,7 +82,11 @@ func main() {
}

klog.Infof("Dialling Trillian backend: %v", *backend)
conn, err := grpc.Dial(*backend, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithBlock())
creds, err := newTrillianTransportCredentialsFromFlags(*backend)
if err != nil {
klog.Exitf("Failed to get credentials: %v", err)
}
conn, err := grpc.Dial(*backend, grpc.WithTransportCredentials(creds), grpc.WithBlock())
if err != nil {
klog.Exitf("Could not dial Trillian server: %v: %v", *backend, err)
}
Expand Down Expand Up @@ -117,6 +126,32 @@ func main() {
core.RunMigration(cctx, ctrls)
}

// newTrillianTransportCredentialsFromFlags returns "creds" of type credentials.TransportCredentials to be
// passed as credentials arguments to grpc.WithTransportCredentials. It configures TLS credentials
// if a CA certificate file is specified, otherwise it uses insecure credentials.
func newTrillianTransportCredentialsFromFlags(backend string) (credentials.TransportCredentials, error) {
var creds credentials.TransportCredentials

if len(*tlsCACertFile) > 0 {
tlsCaCert, err := os.ReadFile(filepath.Clean(*tlsCACertFile))
if err != nil {
return nil, err
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(tlsCaCert) {
return nil, fmt.Errorf("failed to append CA certificate to pool")
}
creds = credentials.NewTLS(&tls.Config{
ServerName: backend,
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
})
} else {
creds = insecure.NewCredentials()
}
return creds, nil
}

// getController creates a single log migration Controller.
func getController(
ctx context.Context,
Expand Down

0 comments on commit 7ccd159

Please sign in to comment.